Share via

Is it possible to use MSAL access token in SAML flow to skip entering credential step (iOS)

Volodymyr Hryhoriev 1 Reputation point
2022-11-03T14:07:44.937+00:00

Hi folks

Context:
There is an iOS app that communicates with the backend using cookie-based authentication. The iOS app passes auth flow via an embedded web browser (WKWebView) and uses received cookies to authorize API calls. Also, it is possible to set up SAML between the backend and Azure AD (it is handled automatically by WKWebView).

Issue:
If we add a Conditional Access policy, the flow described above will not work (because it is not possible to receive access to the client certificate in WKWebView). So the idea was to use MSAL (because it uses the external browser Safari - ASWebAuthenticationSession) to pass conditional access policy and after that exchange MSAL tokens with our backend cookies (e.g. by passing access token as Authorization header into WKWebView). But I'm not sure that this will work at all.

So the questions are:

  • whether it is possible to use MSAL tokens in SAML flow?
  • what other options do we have to exchange MSAL tokens with app cookies (e.g. Azure Application Proxy, etc)?

Thanks.

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
36,555 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,856 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Akshay-MSFT 16,511 Reputation points Microsoft Employee
    2022-11-09T04:08:02.577+00:00

    Hello @Volodymyr Hryhoriev ,

    MSAL implements the OAuth2.0 and OpenID Connect protocols, and does not support SAML 2.0.

    The general strategy is to add the OIDC/OAuth stack to your app. With your app that implements both standards you can use a session cookie. You aren't exchanging a token explicitly. You're logging a user in with SAML, which generates a session cookie. When the Graph API invokes an OAuth flow, you use the session cookie to authenticate. This strategy assumes the Conditional Access checks pass and the user is authorized.

    The recommended library for adding OIDC/OAuth behavior is the Microsoft Authentication Library (MSAL). Ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-token-exchange-saml-oauth#scenario-you-have-a-saml-token-and-want-to-call-the-graph-api

    Let me know if you have any queries in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer" and "Upvote" if the suggestion works as per your business need. This will help us and others in the community as well